NIST 800-53 Rev 5 Update

Winter is Coming

Reminder:  The planned winter release of NIST 800-53 Revision 5 Security and Privacy Controls for Systems and Organizations now has a date and it is December 27, 2018. The draft version is available at and the last public draft for final review is out on September 14, 2018. We recommended that you start reviewing it now so you will know ahead of time how the new standard impacts your current implementation and support documentation.

The key objectives of this standard are to provide a comprehensive set of safeguarding measures that make your systems more resistant to attacks; limit the damage from any attacks that occur and increase the systems survivability. The following includes the latest information from the NIST Computer Security Resource Center regarding the changes expected in Revision 5.

  • Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
  • Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
  • Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
  • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state of the practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability…”